Helm's Missing YAML Content Leads To Panic
Description
Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin YAML files that are missing expected content. When either an index.yaml file or a plugin's plugin.yaml file was missing all metadata, a panic would occur in Helm. In the Helm SDK, the panic is reached through the LoadIndexFile or DownloadIndexFile functions in the repo package and the LoadDir function in the plugin package. For the Helm client, this affects the functions around adding a repository, and all Helm commands once a malicious plugin has been added, because Helm inspects every known plugin on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added and is causing all Helm client commands to panic, the plugin can be removed manually from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to the affected functions can use recover to catch the panic.
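The recover-based interim mitigation the description recommends for SDK users, as an added Go example that is not Helm's own code: the IndexFile type and the loadIndexUnsafe loader are constructed stand-ins for the SDK's repo.IndexFile and repo.LoadIndexFile, and SafeLoadIndex shows how to wrap such a call so a panic on metadata-less input becomes an error instead of crashing the process.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrLoaderPanic marks an error produced by recovering a loader panic.
var ErrLoaderPanic = errors.New("helm loader panicked")

// IndexFile is a constructed stand-in for the SDK's repo.IndexFile.
type IndexFile struct {
	APIVersion string
	Entries    map[string][]string
}

// loadIndexUnsafe simulates the pre-3.14.2 defect: an index.yaml with no
// metadata leaves the parsed value nil, which the loader then dereferences.
// Constructed stand-in, not Helm's own code.
func loadIndexUnsafe(content string) (*IndexFile, error) {
	var idx *IndexFile
	if content != "" {
		idx = &IndexFile{APIVersion: "v1", Entries: map[string][]string{}}
	}
	if idx.APIVersion == "" { // nil dereference when content is empty
		idx.APIVersion = "v1"
	}
	return idx, nil
}

// SafeLoadIndex applies the advisory's interim mitigation for SDK users before
// 3.14.2: run the affected call under a deferred recover and turn a panic into
// an ordinary error instead of crashing the process.
func SafeLoadIndex(load func() (*IndexFile, error)) (idx *IndexFile, err error) {
	defer func() {
		if r := recover(); r != nil {
			idx = nil
			err = fmt.Errorf("%w: %v", ErrLoaderPanic, r)
		}
	}()
	return load()
}

func main() {
	// Constructed inputs: one index with metadata, one with none.
	for _, content := range []string{"apiVersion: v1\nentries: {}\n", ""} {
		idx, err := SafeLoadIndex(func() (*IndexFile, error) { return loadIndexUnsafe(content) })
		fmt.Printf("loaded=%v recovered=%v err=%v\n", idx != nil, errors.Is(err, ErrLoaderPanic), err)
	}
}
```

The same wrapper shape applies to DownloadIndexFile and plugin.LoadDir; callers should treat the recovered error as untrusted input, not retry it.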
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| helm.sh/helm/v3 | Go | < 3.14.2 | 3.14.2 |
References
- github.com/advisories/GHSA-r53h-jv2g-vpx6 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-26147 (NVD entry)
- github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af (fix commit)
- github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6 (Helm security advisory)